On June 20, 2023, the National Assembly passed the Law on Protection of Consumers’ Rights No. 19/2023/QH15 (“LPCR”), effective from July 1, 2024, replacing the Law on Protection of Consumers’ Rights No. 59/2010/QH12. The new LPCR has set many requirements for protecting consumers’ information for trading organizations and individuals based on standards of personal data security prescribed in Decree 13/2023/ND-CP issued on April 17, 2023 (“Decree 13”).
Definition of consumers’ information
Consumers’ information is defined in Clause 3, Article 3 of LPCR as “consumers’ personal information, information about their process of purchasing and using products, goods and services and other information related to transactions between consumers and trading organizations and individuals.”
Based on Clause 15, Article 3 of the Law on Cyber Information Security 2015 and Article 2 of Decree 13, the consumer’s personal information can be determined as information that pertains to a specific person or is used to identify a specific person, such as full name, phone number, bank account, residence, and other information specified in Clauses 3 and 4, Article 3, Decree 13.
Obligation to protect consumers’ information of trading organizations and individuals
According to Article 15 of LPCR, trading organizations and individuals that, on their own or by authorizing or hiring a third party, collect, store, use, edit, update, and delete consumers’ information, must ensure the safety and security of consumers’ information. In order to fulfill this information protection obligation, trading organizations and individuals must fully comply with the provisions of LPCR.
Formulating principles of consumers’ information protection
Trading organizations and individuals collecting, storing, and using consumers’ information must formulate information protection principles that apply generally to consumers with the following contents:
- Purpose of collecting information;
- Scope of information use;
- Information storage period;
- Measures to protect information and ensure consumers’ information security.
Principles of consumers’ information protection must be made public by trading organizations and individuals via posting them in a visible position at headquarters, and business locations and posting on websites, and application software (if any), facilitating consumers’ access before or at the time of information collection.
Notifying when collecting and using consumers’ information
Trading organizations and individuals must notify consumers clearly, publicly, and in a suitable form about the purposes, scope of collecting and using information, storage period of consumers’ information before carrying on and must obtain the consent of the consumers, except in the case of collecting information that has been made public by the consumers or other cases as prescribed by law.
Trading organizations and individuals are responsible for establishing a mechanism for consumers to choose the scope of information to provide and express their agreement or disagreement, except in the case of collecting information that has been made public by the consumers or other cases as prescribed by law.
Before changing the purposes or scope of information use notified to consumers, trading organizations, and individuals must re-notify and obtain consumers’ consent to the change.
Using consumers’ information for the exact purpose and scope agreed by the consumers
Using consumer information includes sharing, disclosing, and transferring consumers’ information to third parties.
Trading organizations and individuals are obliged to use consumers’ information accurately, in accordance with the notified purposes and scope, and must obtain the consent of the consumers, except in the following cases:
- Having a separate agreement with consumers on the purposes and scope of use other than the notified purposes and scope;
- In order to sell and provide products, goods and services at the request of consumers and only within the scope of information agreed by consumers;
- In order to perform obligations according to the provisions of laws.
Article 17 of Decree 13 also stipulates cases where personal data can be processed without the consent of the data subject, including some cases not mentioned in the LPCR as follows:
- In an emergency where it is necessary to immediately process relevant personal data to protect the life and health of the data subjects or other people;
- Disclosure of personal data according to laws.
Trading organizations and individuals collecting and using consumers’ information must have a mechanism for consumers to choose whether or not to allow the following acts:
- Sharing, disclosing, and transferring information to third parties, except in cases where trading organizations or individuals transfer information that has been collected in accordance with laws to a third party for storage or analysis to serve the transferor’s business activities and both parties have a written agreement that the third party is responsible for protecting consumers’ information according to regulations;
- Using consumers’ information to advertise and introduce products, goods, services and other commercial activities.
Ensuring the safety and security of consumers’ information
Trading organizations and individuals are obliged to ensure the safety and security of consumers’ information that they collect, store, use, and take measures to prevent the following acts:
- Theft or illegal access to information;
- Illegal use of information;
- Illegal editing, updating, or destruction of information.
When there are feedback, requests, or complaints from consumers related to information being illegally collected or used for the wrong purposes or outside the scope as notified, trading organizations and individuals must receive and resolve the issue quickly and timely.
In case the information system is attacked, creating a risk of consumers’ information safety and security loss, trading organizations, individuals or relevant information storage parties must notify the competent state authorities within 24 hours from the time of discovering that the information system has been attacked and take necessary measures to ensure the safety and security of consumers’ information according to the provisions of laws on cybersecurity, cyber information security, electronic transactions and other relevant laws. This regulation is different from Clause 1, Article 23 of Decree 13 where the time limit for notifying the Ministry of Public Security in case of detecting a violation of personal data protection regulations in the Decree is up to 72 hours, triple the time limit specified in the LPCR.
Inspecting, modifying, updating, destroying, transferring, and stopping the transfer of consumers’ information
Consumers have the right to request trading organizations and individuals to inspect, modify, update, destroy, transfer, or stop transferring their information to third parties. Trading organizations and individuals are responsible for performing the above requirements or providing consumers with tools and information to perform such actions themselves according to the provisions of laws.
Trading organizations and individuals must destroy consumer information at the end of the storage period as prescribed in their consumers’ information protection principles or other relevant laws.
The new regulations on protecting consumer’s information in the new LPCR are quite comprehensive, setting out detailed obligations for trading organizations and individuals throughout the process of collection, storage, use and destruction of consumer information. These regulations have a strong impact on the customer policies of domestic and foreign trading organizations and individuals whose goods and services are produced or consumed in Vietnam, forcing sellers to pay attention to and properly protect consumers’ information in the context that the rights to privacy, personal secrets, and family secrets are being threatened by the explosion of information technology.
PrivacyCompliance provides solutions related to ensuring compliance with personal data regulations, assessing the impacts of personal data processing, drafting impact assessment dossiers, and cross-border data transfer dossiers.
PrivacyCompliance
#consumerprotection #LPCR #dataprotection #consumerinformation #Decree13
Do foreign enterprises have to store their data in Vietnam?
In this day and age, data in general is increasingly becoming more and more valuable. Most service-based companies live off data collected from their clients, prime examples of this type of companies include social media networks such as Facebook or search engines such as Google where user data is being used for commercial purposes on […]
Learn more
The decree on personal data protection has been officially issued
On April 17, 2023, the Decree on Personal Data Protection has been issued as Decree No. 13/2023/ND-CP (hereinafter referred as “Decree”) and officially takes effect on July 1st, 2023. This is the first legal document that directly regulates the issue of personal data in Vietnam, which is anticipated to have substantial impacts on not only […]
Learn more
Managing spam messages and calls in Vietnam
Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people still get those undesirable messages and calls? […]
Learn more